Need Help Please!

Well I have recently had a lot of pop-ups of legal/illegal medications, phone sex hot lines, and various other things having to do with porn. My son uses this computer the most (I use my laptop) so I'm assuming he's getting to that age where he starts to masturbate, but I can't comply with that if he gets this computer all messed up.

I will be doing something and all of a sudden whatever window I have open minimizes and I see a pop-up come up. Then I have something that tells me I have a security threat in my system and tells me where to find some anti-spyware tools for it. I clicked on it and did a Google search to make sure it wasn't a virus as well. The first page was overall positive so it looked legitimate. I downloaded it and it's just gotten worse.

I had the same problem with my computer. The link it takes you to is in fact a virus, and if you click on it at a different time the name and look of the page that it takes you to will be different. I don't think it's because your son has been downloading porn; it is more likely he downloaded what he thought was a CD key generator which installed this program on your computer. For me it was Doom 3: Resurrection of Evil.

You have several options for trying to remove it, and I would suggest that you follow the options in this order.

1. Try a system restore to an earlier date, depending on when this started. At first this worked for me; however, I had to undo the restore for other reasons and after that it didn't work at all.

2. Disconnect from the internet and install an anti-virus, a firewall, and an anti-spyware program. You can get free versions of all of these as long as it is for home use only.

I would suggest that even if the first step works you still do these, and while still offline run both Spybot and Avast.

3. The method I used in the end was a complete OS reinstall, which involves wiping the entire hard drive and starting again. I also had other reasons for doing this, but the virus was one of the main ones. It is good to have an external hard drive that you can copy all your important files to before doing this as well. There are also other advantages to doing this every once in a while anyway.

Anyway, hope you get the problem fixed using the first 2 steps and you won't have to go and reformat your hard drive. If anyone knows another way to get rid of this virus then please let me know.

You seem to have a typical "IntCodec" infection. This is not only distributed by fake porn sites, making visitors believe that they need a special video codec to view porn movies, but it's also reported to have popped up during QuickTime updates and on video sites or the like. The "IntCodec" Trojan (Win32.Zlob) has the typical payload of a trojan backdoor plus a "SpywareQuake" hijacker component. The infected computer's Internet Explorer (it fails with other browsers as usual - don't use IE) is hijacked and redirected to the fake "PestTrap" company site, offering you a fake solution for real money.

Sorry, I'm no malware removal expert and can give you only vague hints on what to do. You may want to wait for one of the mods here, who are much better at that.

[Zlob]
Any decent antivirus software (not Norton, sorry :)) should be able to remove it. Since I don't have too much experience with other programs, I can only recommend "Avira Antivir Personal Edition Classic" at the moment. It knows Zlob, it's free and a fine antivirus software anyway. Download here: http://www.free-av.com (end of commercial) Disable Antivir's "Guard" (resident online virus scanner portion of Antivir) to be sure it doesn't interfere with Norton's. Update it first!
Then, before starting Antivir, turn off System Restore to delete all restore points, since Zlob hides there, too. (You can turn it back on when everything is removed.) Start Antivir and do a full scan. Let it delete anything it finds.

[SpywareQuake]
The browser hijacker component can be removed with SmitfraudFix

Remember, I'm not sure about all this and if it can be that easy. Maybe I forgot something important. BTW I think your posting is very well done - just as it should be, pretty easy to see what happened! Thumbs up! :D

Thanks a lot for the tips guys. There is nothing noticeably wrong anymore, but I would still like to verify this through the log as I might still be keylogged or have other spyware. This has various financial information (:confused: ) so I have double checked everything so far and will check again to make sure no fraudulent transactions are occurring (viewed over a safe network at my company).

Here is my AntiVir log. It didn't find ANYTHING that it thought was a virus; I did, however, get 30 WARNINGS. Near the bottom it lists a few files saying it can't read them. Does this mean this user account doesn't have enough privileges for the software to view them? And if so, should I look into making sure those files aren't infected?

The scan over running processes will be started
49 Processes was scanned

Start scanning boot sectors:

Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!
Boot sector 'F:\'
[NOTE] In the drive 'F:\' no data medium is inserted!
Boot sector 'G:\'
[NOTE] In the drive 'G:\' no data medium is inserted!
Boot sector 'H:\'
[NOTE] In the drive 'H:\' no data medium is inserted!
Boot sector 'I:\'
[NOTE] In the drive 'I:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( 28 files ).

Starting the file scan:

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60fdfb9a259d7511cca6977ac6baf7a2_082b88de-f927-4549-8eb0-43027dc3cb67
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Nikla$\ntuser.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Nikla$\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Nikla$\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Nikla$\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\SoftwareDistribution\EventCache\{B2148C86-8CAD-4D35-80D3-3286B5D5FA7C}.bin
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\JETBF39.tmp
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\JETC17B.tmp
[WARNING] The file could not be opened!
The path A:\ could not be found!
The device is not ready.
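Triage helper for reports in the format posted above, added here as an example and not part of this thread or of the AntiVir product: it separates "could not be opened" warnings on files Windows always holds locked (hiberfil, pagefile, registry hives, ntuser.dat, UsrClass.dat, machine keys) from warnings on anything else, such as files under a Temp directory, that deserve a closer look. The log excerpt inside is a constructed sample in the same shape as the posted report.

```python
import re

# Constructed excerpt, shaped like the AntiVir report posted above (not the real log).
SAMPLE_LOG = r"""
Starting the file scan:

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\Documents and Settings\Nikla$\ntuser.dat
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\JETBF39.tmp
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\JETC17B.tmp
[WARNING] The file could not be opened!
"""

# Files a running Windows system keeps exclusively locked. An "open failed"
# warning on these is expected on every scan and is not a sign of infection.
EXPECTED_LOCKED = [
    re.compile(r"^[a-z]:\\(hiberfil|pagefile)\.sys$", re.I),      # memory/swap images
    re.compile(r"\\system32\\config\\[^\\]+$", re.I),             # registry hives + .LOG
    re.compile(r"\\ntuser\.dat(\.log)?$", re.I),                  # per-user hives
    re.compile(r"\\usrclass\.dat(\.log)?$", re.I),                # per-user class hives
    re.compile(r"\\crypto\\rsa\\machinekeys\\", re.I),            # DPAPI machine keys
]

def triage(log_text):
    """Return (expected, review): paths whose warning is normal for a live
    system, and paths a human should look at (e.g. Temp files)."""
    expected, review = [], []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        # Each warning refers to the path on the line immediately before it.
        if i == 0 or "[WARNING] The file could not be opened" not in line:
            continue
        path = lines[i - 1].strip()
        if any(p.search(path) for p in EXPECTED_LOCKED):
            expected.append(path)
        else:
            review.append(path)
    return expected, review

if __name__ == "__main__":
    ok, check = triage(SAMPLE_LOG)
    print("Expected locked files:", len(ok))
    for path in check:
        print("Review:", path)
```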

Your log looks cleaner now, but the O15 entries ("trusted zone") are still there. Did you fix them with HJT? That would mean they came back. So still no all-clear-signal from here until you say you forgot them.

Antivir report:
I assume that you killed the \IntCodec\ folder prior to the scan and that you (with some assistance from Norton) deleted the main malware components in the first place. Then I can understand why Antivir didn't find anything. (I have seen Antivir's Guard detecting IntCodec/Zlob recently and personally.) The warnings from Antivir are normal (mostly related to 0-byte files) except the last ones:

C:\WINDOWS\Temp\JETBF39.tmp
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\JETC17B.tmp
[WARNING] The file could not be opened!

I'm afraid I forgot to mention that you should clean your [...\Windows\Temp], your [documents and settings\<owner>\local settings\temp] and the ...\temporary internet\... folders. I guess these files are harmless (no executables) but I would feel better if you do another scan. The following may be useless, but anyway:

Configure Antivir a bit sharper:
Start the Antivir main program, then click on "Configuration" (on the right side). A tree view pops up on the left side. Open the "Search" branch, then select "Heuristic" (sorry, I have only the German version and have to guess how that's labeled on yours), the last entry. Set a mark on each of the two checkboxes that should have appeared.

Now restart your computer in Safe Mode and do the scan again. Don't get frightened: Heuristic search may result in some false alarms. Post the report again if it finds something.

I would be a bad guy if I didn't remind you that you should take more care of security issues if you do money-related stuff with that computer. Sensitive data could have been stolen already: the malware files you deleted were active until you did that. Most Zlob variants are harmless compared to other malware but...

Some variants of Trojan-Downloader.Zlob.Media-Codec have backdoor functionality, giving a remote attacker the ability to control and use the infected machine for malicious purposes.

That means that most likely no keylogging or other data gathering action was going on. This was a warning shot trojan...;)

I know that those 2 webservers are in the trusted download zone.
For some reason none of my firewalls will allow me to download from that site (which I do really trust, acquaintance is the admin) so I have to add it to the trusted list for it to work.

Graphics drivers screwed up for some reason. No idea if they were infected or not, but I cleared them out with Driver Cleaner Pro and installed the latest drivers from EVGA and everything works, might I say, better than before!

Running all anti-virus programs I have one more time to make sure I didn't miss anything and then I'll create a system restore point.

For some reason none of my firewalls will allow me to download from that site (which I do really trust, acquaintance is the admin) so I have to add it to the trusted list for it to work.

That's (firewall) why these entries are potentially dangerous, and yours just looked like the usual weird sites that are registered there by malware. Now I learned not to think that every strange-looking site belongs to an evil Chinese server and that I should perform a whois request before scaring people ;). Learning about such things is one of the reasons why I'm here, thank you very much for that information!

Everywhere I look on the internet that has talked about this virus/trojan has never said that it could stop your computer from booting altogether. It has in my case.

Right after it was installed, I think, the computer completely locked up, and when I try to reboot and go to Windows, it gets past the loading screen and then just sits on a blank screen (usually where the password part would be loaded).

I can only boot the system into plain old safe mode. I've deleted all the files that I could find that came with the download and nothing has worked. HijackThis does not detect anything related to the trojan on my PC anymore, at least as far as I can tell (I should probably submit a report).

Furthermore, since I can ONLY use regular safe mode, I can't access the internet to download removal tools or to update my software, and I can't get my portable flash drives to be read in safe mode either, so even if I download removal tools from another computer and put them on the flash drive, I STILL can't transfer them to my computer that's seemingly damaged.